feat: Allow subjects to act as Owner to bypass the webhook

api/v1beta2/additional_role_bindings.go

@@ -8,5 +8,6 @@ import rbacv1 "k8s.io/api/rbac/v1"
 type AdditionalRoleBindingsSpec struct {
 	ClusterRoleName string `json:"clusterRoleName"`
 	// kubebuilder:validation:Minimum=1
-	Subjects []rbacv1.Subject `json:"subjects"`
+	Subjects   []rbacv1.Subject `json:"subjects"`
+	ActAsOwner bool             `json:"actAsOwner"`
 }

charts/capsule/crds/capsule.clastix.io_tenants.yaml

@@ -68,6 +68,8 @@ spec:
                   the RoleBinding for the given ClusterRole. Optional.
                 items:
                   properties:
+                    actAsOwner:
+                      type: boolean
                     clusterRoleName:
                       type: string
                     subjects:
@@ -103,6 +105,7 @@ spec:
                         x-kubernetes-map-type: atomic
                       type: array
                   required:
+                  - actAsOwner
                   - clusterRoleName
                   - subjects
                   type: object
@@ -1093,6 +1096,8 @@ spec:
                   the RoleBinding for the given ClusterRole. Optional.
                 items:
                   properties:
+                    actAsOwner:
+                      type: boolean
                     clusterRoleName:
                       type: string
                     subjects:
@@ -1128,6 +1133,7 @@ spec:
                         x-kubernetes-map-type: atomic
                       type: array
                   required:
+                  - actAsOwner
                   - clusterRoleName
                   - subjects
                   type: object

docs/content/general/crds-apis.md

@@ -1652,6 +1652,11 @@ Optional.<br/>
           kubebuilder:validation:Minimum=1<br/>
         </td>
         <td>true</td>
+      </tr><tr>
+        <td><b>actAsOwner</b></td>
+        <td>bool</td>
+        <td>If subject is treated as owner for namespace creation by admission webhook. Subject still requires permission from RBAC</td>
+        <td>false<td>
       </tr></tbody>
 </table>
 

pkg/api/additional_role_bindings.go

@@ -10,5 +10,6 @@ import rbacv1 "k8s.io/api/rbac/v1"
 type AdditionalRoleBindingsSpec struct {
 	ClusterRoleName string `json:"clusterRoleName"`
 	// kubebuilder:validation:Minimum=1
-	Subjects []rbacv1.Subject `json:"subjects"`
+	Subjects   []rbacv1.Subject `json:"subjects"`
+	ActAsOwner bool             `json:"actAsOwner"`
 }

pkg/webhook/ownerreference/patching.go

@@ -153,8 +153,8 @@ func (h *handler) setOwnerRef(ctx context.Context, req admission.Request, client
 
 			return &response
 		}
-		// Tenant owner must adhere to user that asked for NS creation
-		if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {
+		// Tenant owner must adhere to user that asked for NS creation or a subject in the Tenant's AdditionalRoleBindings with ActAsTenantOwner
+		if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) && !utils.IsActAsTenantOwner(tnt.Spec.AdditionalRoleBindings, req.UserInfo) {
 			recorder.Eventf(tnt, corev1.EventTypeWarning, "NonOwnedTenant", "Namespace %s cannot be assigned to the current Tenant", ns.GetName())
 
 			response := admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")

pkg/webhook/utils/is_act_as_tenant_owner.go

@@ -0,0 +1,34 @@
+// Copyright 2020-2023 Project Capsule Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	authenticationv1 "k8s.io/api/authentication/v1"
+
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+func IsActAsTenantOwner(additionalRoleBindings []api.AdditionalRoleBindingsSpec, userInfo authenticationv1.UserInfo) bool {
+	for _, additionalRoleBinding := range additionalRoleBindings {
+		if additionalRoleBinding.ActAsOwner {
+			for _, subject := range additionalRoleBinding.Subjects {
+				switch subject.Kind {
+				case string(capsulev1beta2.UserOwner), string(capsulev1beta2.ServiceAccountOwner):
+					if userInfo.Username == subject.Name {
+						return true
+					}
+				case string(capsulev1beta2.GroupOwner):
+					for _, group := range userInfo.Groups {
+						if group == subject.Name {
+							return true
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return false
+}